How to manage Refresh token on Safewhere*Identify


Since version 2.0, OAuth introduces Refresh token on top of its popular Access token. An access token contains information about the scopes or roles of a user to a certain service. Originally, issuing an access token means the issuer relinquishes control over that token – the issuer cannot revoke the token once it was given. This process arises many security holes. When a hacker successfully acquired the access token, it is equally as disastrous as when a thief has gained the entrance to your secret vault. The potential drama forces developers to limit the lifespan of access token to very short, typically from a few minutes to an hour – which reduces the usability since user has to frequently login. This is where refresh token comes in handy. Refresh token, which has a much longer lifetime – from a week to a few months, does not require user to login once access token is expired since the application will automatically requests a new access token at the issuer site. Moreover, implementing refresh token will improve the system security because the issuer, at any time, can revoke the given refresh token.

With pre 4.2 versions of Safewhere*Identify, in order to access to our Rest APIs, the client needs to gain a suitable access token. The process was sophisticated and time consuming. Admin will also need to write a web application that implements OAuth 2.0 to ask user to login, then send those requests to the token’s issuer. The problem escalates when working with Window Services that contains no user interaction as admin would, unavoidably, have to write a specific application to login just for this regard.

To eliminate the hassle, Safewhere*Identify has launched the API Keys that auto-generate tokens and only requires the Identify*Admin logon. You will no longer have to compromise between security and usability as Safewhere*Identify has it all cover for you.

“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”  – Ben Franklin

How to setup to get the RefreshToken and AccessToken on UI

1. Go to the connection list on Admin, select Tools\Oauth 2.0 to create the Oauth 2.0 protocol connection at Root organization 

OAuth 2 Create
2. After the “Identify OAuth2 Token for REST APIs” connection is created on the connection list, go to My profile page and select the “My REST API Key”
My Rest API Key
 3. Click “Generate” button to create the Oauth2 refresh token

4. Click “Test” button to create the Oauth2 access token



Question: Can I revoke the refresh token on my list?
Answer: Yes, you can check the checkbox “Revoke” below the refresh token you want, then click “Revoke” button
Question: How can I verify if all refresh tokens are valid?
Answer: You can see the expired date next to the token.
Question: Do my refresh tokens update with the new values in case I use “Test”feature?
Answer:As default, the refresh tokens don’t update with the new values. However, if the “Allow issue the new refresh token when exchange a refresh token for an access token” on the “Identify OAuth2 Token for REST APIs” connection is True,they will be updated with the new values every time you click “Test”.
Question: How can I manage the lifetime of the access token as well as the refresh token?
Answer: As default, the lifetime is 60 minutes. However, you need to go to the connection list, then open the edit page of the “Identify OAuth2 Token for REST APIs” connection and update the number value on the field: Token life time/Refresh token lifetime.
Was this helpful ?Good Somewhat Bad